RHC Editorial Staff: 16 September 2025 07:04
US Senator Ron Wyden sent a letter on September 10 to the Federal Trade Commission (FTC) requesting an investigation into Microsoft, accusing the company of “gross negligence” in the field of cybersecurity.
The grounds for the request are Windows’ continued use of the obsolete and insecure RC4 encryption algorithm, which is still the default for Active Directory. According to the senator’s office investigation, it was this feature that played a key role in the large-scale 2024 attack on the medical company Ascension, which resulted in the compromise of the data of 5.6 million patients.
Wyden emphasized that, through “dangerous engineering,” an attacker could use a single infected employee laptop to distribute ransomware to thousands of systems via Active Directory.
In the case of Ascension, the initial entry point was an employee’s device, used to perform a Bing search via Microsoft Edge. Once inside, the attackers used Kerberoasting to brute-force the passwords of privileged accounts and then spread the ransomware throughout the network.
RC4, created in 1987 by Ron Rivest, has long been recognized as vulnerable: the algorithm was cracked in 1994 and has been successfully attacked numerous times since. It has been removed from most communication protocols, but remains the core mechanism of Kerberos authentication in Active Directory. Despite the availability of more modern algorithms, many organizations continue to use the default settings. This configuration allows attackers to request from the Kerberos server service tickets encrypted under keys derived from account passwords, carry them outside the network and crack them with powerful GPUs. Because the underlying MD4-based hash uses neither a salt nor iterations, an attacker can test billions of candidate passwords per second.
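To make the last two sentences concrete, here is an added example (not code from the article or from Microsoft) that derives the two kinds of Kerberos long-term keys side by side: the RC4-HMAC key from RFC 4757, which is just the MD4 hash of the UTF-16LE password (the NT hash) with no salt and no iterations, and the PBKDF2 stage of the AES string-to-key function from RFC 3962, which salts with realm plus principal and runs 4096 iterations. The MD4 routine is written in pure Python because OpenSSL 3 builds often disable `hashlib`'s legacy md4; the final RFC 3962 step DK(tkey, "kerberos") is deliberately omitted since the comparison concerns only salt and iteration count, and the realm and account names are constructed.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because many hashlib builds no longer expose md4."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d) = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2: majority
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3: xor
            h = b ^ c ^ d
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key for RC4-HMAC: MD4 over the UTF-16LE password, i.e. the NT hash.
    There is no salt and no iteration count, so one guess costs one MD4 and the same password
    yields the same key for every account in every domain."""
    return md4(password.encode("utf-16-le"))


AES_ITERATIONS = 4096  # RFC 3962 default iteration count for the AES enctypes


def aes_pbkdf2_stage(password: str, realm: str, principal: str) -> bytes:
    """First stage of the RFC 3962 AES256 string-to-key: PBKDF2-HMAC-SHA1, 4096 iterations,
    salt = uppercase realm + principal name. The real key additionally goes through
    DK(tkey, "kerberos"); that step is omitted here (assumption: irrelevant to the comparison)."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, AES_ITERATIONS, 32)


def compare_accounts(password: str, accounts) -> dict:
    """Derive both key types for several (realm, principal) pairs sharing one password and
    report whether the keys collide across accounts: RC4 keys always do, AES keys never do."""
    rc4_keys = {rc4_hmac_key(password) for _, _ in accounts}
    aes_keys = {aes_pbkdf2_stage(password, realm, principal) for realm, principal in accounts}
    return {"rc4_keys_identical": len(rc4_keys) == 1, "aes_keys_identical": len(aes_keys) == 1}


if __name__ == "__main__":
    # Constructed accounts, not real ones.
    accounts = [("corp.example", "svc_sql"), ("corp.example", "svc_web"), ("lab.example", "svc_sql")]
    print(compare_accounts("Correct-Horse-Battery-Staple-2025", accounts))
    print("per-guess work factor (AES vs RC4):", AES_ITERATIONS * 2 * 2, "vs ~1")
```

The work-factor line follows from the derivation itself: PBKDF2 with a 32-byte output from 20-byte SHA-1 needs two blocks, each of 4096 HMAC-SHA1 calls, each costing two SHA-1 compressions, against a single MD4 compression for RC4-HMAC. The collision result is the other half of the article’s point: because the RC4 key is unsalted, a guess that is checked against one account's ticket is simultaneously checked against every account that shares the password.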
Matt Green, a cryptographer at Johns Hopkins University, called the Kerberos architecture with RC4 “a bug that should have been fixed decades ago.” He noted that even long passwords that formally comply with the recommendations are not safe from brute-force attacks under this scheme. An additional risk factor is the widespread misconfiguration of Active Directory, in which regular users are granted access to administrator-only functions. This makes Kerberoasting an even more accessible attack method.
In response, Microsoft stated that RC4 accounts for less than 0.1% of traffic and that the company strongly discourages use of the algorithm. At the same time, the company acknowledged that switching it off completely would leave a number of customers’ systems inoperable, so RC4 is to be phased out gradually. According to Microsoft, in the first quarter of 2026 new installations of Windows Server 2025-based Active Directory domains will run without RC4 support by default. Additional measures are being prepared for existing systems that should minimize risk while maintaining compatibility.
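The attack pattern described in the preceding paragraphs and the traffic share Microsoft cites are both visible in domain controller logs: Kerberos service ticket requests are recorded as Windows Security Event ID 4769, whose TicketEncryptionType field is 0x17 for RC4-HMAC and 0x11/0x12 for AES. The following added example (not from the article, Microsoft, or any named tool) runs two checks a defender would want over a set of constructed 4769-style records: the fraction of successful ticket requests still using RC4 in your own domain, and sources that request RC4 tickets for many distinct user-backed service accounts in a short window, which is the classic Kerberoasting signature. Event values, names and addresses are all constructed; the field names mirror the 4769 XML fields but the records are not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type values as they appear in Event ID 4769's TicketEncryptionType field.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Constructed sample events (not real logs). Status 0x0 means the ticket was issued.
SAMPLE_EVENTS = [
    {"time": "2025-09-10T08:00:01", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "WS01$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.5", "Status": 0x0},
    {"time": "2025-09-10T08:00:05", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5", "Status": 0x0},
    {"time": "2025-09-10T08:00:06", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5", "Status": 0x0},
    {"time": "2025-09-10T08:00:07", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5", "Status": 0x0},
    {"time": "2025-09-10T08:00:08", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_iis",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5", "Status": 0x0},
    {"time": "2025-09-10T09:15:00", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_print",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.9", "Status": 0x0},
    {"time": "2025-09-10T09:16:00", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.9", "Status": 0x0},
    {"time": "2025-09-10T09:17:00", "TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.12", "Status": 0x0},
]


def rc4_share(events) -> float:
    """Fraction of successfully issued service tickets that used RC4-HMAC: the figure to compare
    against a vendor's aggregate claim is the one measured in your own domain."""
    issued = [e for e in events if e["Status"] == 0]
    if not issued:
        return 0.0
    return sum(e["TicketEncryptionType"] == RC4_HMAC for e in issued) / len(issued)


def rc4_service_ticket_requests(events):
    """Issued RC4 tickets for user-backed service accounts. Machine accounts (names ending in $)
    and krbtgt are excluded: their keys are random and long, so offline guessing is not the concern."""
    return [
        e for e in events
        if e["Status"] == 0
        and e["TicketEncryptionType"] == RC4_HMAC
        and not e["ServiceName"].endswith("$")
        and e["ServiceName"].lower() != "krbtgt"
    ]


def burst_sources(events, min_spns: int = 4, window: timedelta = timedelta(minutes=5)) -> dict:
    """Source addresses that obtained RC4 tickets for at least `min_spns` distinct service accounts
    within any `window`-long interval. Returns {ip: sorted list of service names}."""
    by_ip = defaultdict(list)
    for e in rc4_service_ticket_requests(events):
        by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    flagged = {}
    for ip, requests in by_ip.items():
        requests.sort()
        for start, _ in requests:  # slide the window from each request's timestamp
            names = {name for t, name in requests if start <= t <= start + window}
            if len(names) >= min_spns:
                flagged[ip] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    print(f"RC4 share of issued tickets: {rc4_share(SAMPLE_EVENTS):.0%}")
    print("RC4 tickets for user-backed services:", len(rc4_service_ticket_requests(SAMPLE_EVENTS)))
    print("burst sources:", burst_sources(SAMPLE_EVENTS))
```

In production the records would come from a SIEM query over 4769 rather than a literal list, and the thresholds need tuning per environment, since some legacy applications legitimately request many tickets. Any service account that shows up with TicketEncryptionType 0x17 is also a candidate for the mitigation the article alludes to: restricting it to AES via the account's msDS-SupportedEncryptionTypes attribute, after confirming the consuming application supports AES.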
Wyden, however, believes the company is deliberately downplaying the danger, limiting itself to low-profile posts on technical blogs rather than directly alerting enterprise customers. He also criticized Microsoft’s business model, in which the core software remains vulnerable while additional cybersecurity services are sold separately; he said it resembles “an arsonist selling firefighting services to his victims.” Experts recommend that organizations follow security best practices for Active Directory accounts. Microsoft, for its part, says it is in dialogue with the senator and ready to collaborate with government agencies, emphasizing that the roadmap for abandoning RC4 has already been approved.